
What the Patient Access API Requires

The Patient Access API must allow patients to access their health data through third-party applications of their choice. Using HL7 FHIR Release 4.0.1 as the foundational standard, payers expose a standards-based endpoint secured with OAuth 2.0 and the SMART App Launch protocol, to which any consumer app the patient has authorized can connect.

Under CMS-0057-F, the Patient Access API must make the following data categories available:

Claims & Encounter Data

Adjudicated claims including provider remittances and patient cost-sharing, plus encounter data maintained by the payer.

Clinical Data (USCDI)

All data classes and elements in the content standard at 45 CFR 170.213, currently USCDI v1 (expiring Jan 2026) and USCDI v3.

Prior Authorization Information

New in CMS-0057-F: Active and historical prior authorization status, decisions, and associated details.

Laboratory Results

Lab results maintained by the payer as part of the patient's claims or clinical record.

Content Standard Auto-Update: CMS finalized a direct reference to 45 CFR 170.213, meaning the data content requirement automatically updates as ONC adopts new USCDI versions — payers won't need to wait for a new CMS rulemaking to know what to expose.

Compliance Dates

The prior authorization data enhancement to the Patient Access API must be live by the following dates:

Separately, annual Patient Access API metrics reporting to CMS begins January 1, 2026.

API Usage Metrics Reporting

Starting in 2026, impacted payers must annually report to CMS metrics about patient data requests made via the Patient Access API. This reporting requirement is designed to give CMS visibility into actual API utilization and help measure whether patients are benefiting from these data-sharing mandates.

Technical Standards

Required Standards

Strongly Recommended IGs

CMS strongly recommends that payers use specific HL7 Da Vinci Implementation Guides to supplement the required standards, including the CARIN Consumer Directed Payer Data Exchange IG for claims data and the Da Vinci PDex IG for payer data exchange profiles.

Voluntary Early Adoption of Updated Standards

Payers may voluntarily adopt newer versions of any required standard, specification, or IG before CMS formally adopts them through regulation — provided the updated version does not disrupt end users' ability to access data through the API.

Patient Privacy & Security

The Patient Access API uses OAuth 2.0 and OpenID Connect so that patients keep granular control over which apps access their data. CMS emphasizes that implementation must align with HIPAA Privacy Rule requirements (45 CFR Parts 160 and 164), and patients' personal representatives may exercise data access rights on their behalf as permitted by applicable law.
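The "granular control" above is carried in practice by the SMART App Launch scopes attached to the OAuth 2.0 access token, and the payer's FHIR server has to enforce two things on every request: that the scope covers the resource type and interaction, and that a patient-scoped token is only ever used for the patient named in its launch context. The following is an added example written for this page, not code from CMS, HL7 or any payer product. It assumes the token has already been validated (signature, expiry, audience) and decoded into a dict carrying a `scope` string and a `patient` context claim, both as SMART App Launch defines them; the scope syntax follows SMART v1 (`patient/Observation.read`) and v2 (`patient/Observation.rs`) conventions, and the sample claims are constructed.

```python
"""
Added example: SMART App Launch scope + patient-context check for a FHIR
authorization layer. Not the page's own code; assumes the access token was
already validated and decoded upstream.
"""
import re
from dataclasses import dataclass

# SMART v1 permissions are read/write/*; v2 permissions are a subset of c r u d s.
_SCOPE_RE = re.compile(
    r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]+)$"
)

# Map v1 permission words onto v2 letters so a single check handles both.
_V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


@dataclass(frozen=True)
class Grant:
    context: str       # patient | user | system
    resource: str      # FHIR resource type, or '*' for all types
    perms: frozenset   # subset of {'c', 'r', 'u', 'd', 's'}


def parse_scopes(scope_str: str) -> list:
    """Parse the space-separated scope string into resource grants.
    Non-resource scopes (openid, fhirUser, launch/patient, ...) are skipped."""
    grants = []
    for token in scope_str.split():
        m = _SCOPE_RE.match(token)
        if not m:
            continue
        ctx, res, perm = m.groups()
        grants.append(Grant(ctx, res, frozenset(_V1_TO_V2.get(perm, perm))))
    return grants


def is_authorized(token_claims: dict, resource_type: str,
                  interaction: str, resource_patient_id: str) -> bool:
    """Return True only if some grant covers resource_type and interaction
    (one of c r u d s) and, for patient/ grants, the resource belongs to the
    patient named in the token's launch context. This second condition is what
    stops a valid token for one member being replayed against another member's
    records. For user/ and system/ grants the resource-type check is all this
    example does; a real server layers its own access control on top."""
    grants = parse_scopes(token_claims.get("scope", ""))
    token_patient = token_claims.get("patient")
    for g in grants:
        if g.resource not in ("*", resource_type):
            continue
        if interaction not in g.perms:
            continue
        if g.context == "patient":
            if token_patient is None or token_patient != resource_patient_id:
                continue  # scope matched, but wrong (or missing) patient context
            return True
        return True
    return False


# Constructed sample claims: a consumer app granted read on EOB and
# read/search on Observation, launched in the context of patient pat-123.
SAMPLE_CLAIMS = {
    "scope": "openid fhirUser launch/patient "
             "patient/ExplanationOfBenefit.read patient/Observation.rs",
    "patient": "pat-123",
}

# Constructed sample: a patient-scoped token that is missing its patient context.
NO_CONTEXT_CLAIMS = {"scope": "patient/*.read"}

if __name__ == "__main__":
    checks = [
        ("EOB, own patient", "ExplanationOfBenefit", "r", "pat-123"),
        ("EOB, other patient", "ExplanationOfBenefit", "r", "pat-999"),
        ("Coverage, no scope", "Coverage", "r", "pat-123"),
        ("Observation create, read-only scope", "Observation", "c", "pat-123"),
        ("Observation search", "Observation", "s", "pat-123"),
    ]
    for label, rtype, op, pid in checks:
        print(f"{label:40s} -> {is_authorized(SAMPLE_CLAIMS, rtype, op, pid)}")
```

The order of the checks matters: the patient-context comparison runs after the scope match, so a token that legitimately carries `patient/*.read` still cannot be used to read a different member's record, and a patient-scoped token with no `patient` claim at all is refused rather than treated as unrestricted.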

CMS has expressed concern about ensuring that members of all communities can benefit from API-enabled app access — including individuals with disabilities, limited English proficiency, low literacy, and those facing geographic or economic barriers to technology adoption.

Terminology Change

CMS finalized terminology changes related to the Patient Access API that take effect on the final rule's effective date. This is a non-substantive update that does not change the underlying requirements but aligns regulatory language with current usage.
